HIPAA and Employer Group Health Plans: Nothing is Simple - PowerPoint PPT Presentation

Slides: 72
Provided by: dpr79

Transcript and Presenter's Notes


1
HIPAA and Employer Group Health Plans: Nothing is
Simple
  • Beth L. Rubin
  • March 26, 2003
  • © 2003 Dechert LLP

2
HIPAA Applicability
  • Health Plans -- including employer group health
    plans
  • Health Care Providers -- that transmit any health
    information in electronic form
  • Health Care Clearinghouses

3
Health Plan Definition
  • Health plan is broadly defined
  • An individual or group plan that provides, or
    pays the cost of, medical care
  • Includes most ERISA employer welfare benefit
    plans, insured and self-funded, plus some
    non-ERISA plans

4
Privacy Rule Chronology
  • Proposed Rule November 1999
  • Final Rule December 2000
  • Comment period March 2001
  • Proposed Changes March 2002
  • Final Final Rule August 2002
  • Guidance released December 2002
  • Compliance Date April 14, 2003 (large
    plans)
  • Compliance Date April 14, 2004 (small plans)

5
Health Plans
  • Health plans must comply with all the Privacy
    Standards that apply to Providers, plus certain
    Standards applicable only to health plans

6
Health Plans
  • Health Plans must comply with
  • Restrictions on Uses and Disclosures of PHI
  • Plan Member Rights Requirements
  • Administrative Requirements
  • Firewall Requirements -- separation between the
    plan and plan sponsor

7
Restrictions on Uses and Disclosures
  • Covered entities may not use or disclose PHI,
    except as permitted or required under the
    Standards
  • Treatment, payment, and health care operations
    (TPO)

8
Restrictions on Uses and Disclosures
  • Authorizations
  • For uses and disclosures not otherwise permitted
    by the rule
  • Authorizations are necessary for some, but not
    all, purposes other than TPO
  • Authorization content -- core elements

9
Restrictions on Uses and Disclosures
  • Minimum Necessary Standard
  • Business Associate Requirements, including
    re-contracting
  • De-identification requirements
  • Limited data set

10
Uses and Disclosures without Authorization or
Opportunity to Agree
  • Certain public health authorities
  • Government authorities authorized to receive
    reports on child abuse or neglect
  • FDA reporting, tracking and surveillance

11
Uses and Disclosures without Authorization or
Opportunity to Agree
continued
  • Health oversight activities
  • Judicial or administrative proceedings
  • Law enforcement

12
Business Associate Definition
  • A person who, on behalf of a covered entity,
    performs a function involving the use or
    disclosure of IHI
  • (includes claims processing, data analysis,
    utilization review, quality assurance, billing,
    benefit management, and repricing)
  • OR

13
Business Associate Definition
  • A person who provides legal, actuarial,
    accounting, consulting, data aggregation,
    management, administrative, accreditation, or
    financial services to or for a covered entity,
    where this service involves disclosure of IHI

14
Liability
  • A health plan may be found liable if
  • the plan knew of a pattern of activity of a
    business associate that violates the business
    associate's obligation under its contract with
    the plan, unless the plan took reasonable steps
    to end the violation

15
Liability
  • If such steps were unsuccessful, the plan
  • Terminated the contract, if feasible, or
  • If termination was not feasible, reported the
    problem to the Secretary of DHHS

16
Business Associate Contracts
  • Satisfactory assurance requirement
  • Plans must have contracts with business
    associates that include many specified terms
  • (includes plan administrators)
  • Transition period

17
Member Rights
  • Right to Notice of Privacy Practices
  • Strict content requirements
  • Self-funded plans must provide notice to members
    by the compliance date
  • After compliance date, to new members at the time
    of enrollment

18
Member Rights
  • Notice
  • Insured plans that do not create or receive PHI
    -- notice is provided by insurer/HMO
  • Insured Plans that create or receive PHI must
    maintain a notice and provide it upon request

19
Member Rights
  • Right to request restrictions on uses and
    disclosures
  • Plans are not required to agree to requested
    restrictions
  • More confidential mode of communication

20
Member Rights
  • Right to access PHI
  • Members have the right to access, inspect, and
    copy their health information
  • Strict deadlines and procedures

21
Member Rights
  • Right to amend PHI
  • Plans may deny requests for amendment if the PHI
  • Was not created by the plan
  • Is accurate and complete

22
Member Rights
  • Right to an accounting of certain disclosures of
    PHI made by plan during the previous 6 years
  • Exceptions

23
Administrative Requirements
  • Appoint a privacy officer
  • Designate a contact person or office responsible
    for receiving privacy-related complaints

24
Administrative Requirements
  • Plan workforce training
  • Policies and procedures
  • Retraining -- if the policies and procedures
    change materially
  • Documentation
  • Combine with Security training

25
Administrative Requirements
  • Privacy safeguards
  • Install appropriate administrative, technical,
    and physical safeguards
  • Scalability
  • Intersection with Security Rule

26
Administrative Requirements
  • Complaints
  • Process
  • Documentation

27
Administrative Requirements
  • Sanctions
  • Establish and apply appropriate sanctions against
    plan workforce members who violate the plan's
    privacy policies and procedures or the Privacy
    Standards

28
Administrative Requirements
  • Mitigation
  • Mitigate, if practicable, any harmful effect
    resulting from a violation of the plan's policies
    and procedures or the Standards

29
Administrative Requirements
  • Privacy policies and procedures

30
Firewall Requirements
  • HIPAA applies to health plans, not plan sponsors
  • For this reason, the Standards focus on plans,
    and force plans to impose certain requirements on
    plan sponsors

31
FIREWALL REQUIREMENTS
  • Right brain vs. Left Brain
  • Brain firewall
  • Right hand vs. Left Hand
  • Wearing different hats while performing different
    functions
  • Is training important?

32
Firewall Requirements
  • Plan sponsors may access identifiable health
    information only for plan administration purposes

33
Firewall Requirements
  • Plan sponsors may NOT access PHI for
    employment-related actions without written
    permission from the plan member

34
Firewall Requirements
  • Recent Clarification
  • Employment records are not considered Protected
    Health Information

35
Firewall Requirements
  • Plan Documents
  • If Plan Sponsors receive PHI other than summary
    and enrollment/disenrollment information, they
    must amend their plan documents to include
    specified terms

36
Firewall Requirements
  • Exceptions -- Group health plans may give plan
    sponsors
  • Summary health information
  • Enrollment/Disenrollment information

37
Firewall Requirements
  • Summary Information (mostly de-identified) may be
    disclosed to a plan sponsor for the purpose of
  • Obtaining bids
  • Modifying, amending, or terminating the plan

38
Plan Documents
  • GHP may disclose PHI to the PS only upon receipt
    of a certification that the plan documents have
    been amended to include the following
  • Permitted and required uses and disclosures of
    such information by PS

39
Plan Documents
  • PS agrees not to use or further disclose the
    information other than as permitted or required
    by the plan documents or as required by law

40
Plan Documents
  • PS agrees to ensure that any agents, including
    subcontractors, to whom it gives PHI agree to the
    same restrictions

41
Plan Documents
  • PS agrees not to use or disclose PHI for
    employment-related actions or in connection with
    any other benefit or employee benefit plan
  • PS agrees to report to GHP any use or disclosure
    inconsistent with these requirements

42
Plan Documents
  • PS agrees to make available PHI for employee
    access, amendment, and accounting rights
  • PS agrees to make its internal practices and
    records relating to the PHI available to DHHS for
    determining the Plan's compliance with the Standards

43
Plan Documents
  • When no longer needed, PS agrees to return or
    destroy all information received from GHP
  • If not feasible to return or destroy the
    information, PS agrees to limit any further uses
    and disclosures of the information

44
Plan Documents
  • Plan documents also must establish adequate
    separation between the GHP and PS by
  • Describing those employee positions (or other
    persons under control of PS) who may access the
    information
  • Individuals who use identifiable information
    relating to payment or health care operations of
    GHP

45
Plan Documents
  • Restrict access to and use by such employees and
    other persons to the plan administration
    functions that the PS performs for the GHP

46
Plan Document
  • Plan documents also must provide an effective
    mechanism for resolving issues of noncompliance
    by those designated persons

47
Firewall Requirements
  • Reminder
  • Written authorization from the member is required
    for disclosure of PHI to a plan sponsor for
  • Employment-related actions
  • Actions relating to any other benefit or plan
    maintained by the plan sponsor

48
Insured Plans
  • Insured plans that do NOT receive PHI (other than
    summary and enrollment/disenrollment) are exempt
    from many requirements, including

49
Insured Plans
  • Exempt from
  • Privacy officer
  • Workforce training
  • Privacy safeguards
  • Complaints
  • Workforce sanctions
  • Mitigation

50
Insured Plans
  • Exempt from
  • Policies and procedures
  • Notice of privacy practices
  • Patient rights of access, amendment and
    accounting
  • Why? Individuals enrolled in these plans have
    these rights through the insurer/HMO

51
Insured Plans
  • Do you create or receive PHI?
  • From the Administrator/Insurer?
  • From Plan members?
  • E.g., Assistance with claims
  • Keep plan sponsor employees outside the Plan
    firewall

52
GHP Action Plan
  • Develop a HIPAA Group Health Plan privacy and
    security action plan
  • Phases may include assessment, strategic
    analysis, and implementation

53
GHP Action Plan
  • Outline discrete tasks for each phase, including
    re-negotiating business associate contracts
  • Set timelines

54
Initial Documents
  • Inventory/Assessment Questionnaires?
  • Plan document amendments
  • Policies and Procedures
  • Notice of Privacy Practices
  • Forms/Logs

55
Policies and Procedures
  • What types of Plan policies and procedures are
    needed?
  • Overall privacy policy addressing handling of PHI
    and adequate separation
  • Must be consistent with plan documents
  • May address minimum necessary standard

56
Policies and Procedures
  • Plan member rights (detailed)
  • Plan Member Privacy Complaints
  • Plan Workforce Training
  • Privacy-related Workforce Sanctions

57
Policies and Procedures
  • Policy on Safeguards for Protecting PHI --
    detailed
  • Policy on Plan Documentation and Retention of
    Certain Records
  • Policy on Authorizations (including Authorization
    form)

58
Dos and Don'ts of Policy Drafting
  • Avoid overly broad, absolute pronouncements about
    security and privacy
  • Avoid extraneous detail
  • Avoid overstating protections and safeguards
  • Never ensure

59
Dos and Don'ts of Policy Drafting
  • Allow flexibility for practice variation and
    innovation if permitted under the Privacy
    Standards
  • Do not adopt a policy or procedure that will not
    be, or is not capable of being, implemented

60
Selected Issues
  • Telephone inquiries from spouses/others regarding
    a member's benefits/claims
  • Systems issue
  • Customer service problem
  • Employee/union issues
  • Creative solutions

61
Selected Issues
  • What is the Plan workforce? Which employees are
    Plan workforce members?
  • Consequences/potential liability related to
    wearing two hats
  • Training and workable sanctions
  • Clear policies and procedures

62
Selected Issues
  • Notice of Privacy Practices
  • Self-funded plans must send this notice soon
  • Will the TPA also be sending a notice?
  • Will plan members get two different notices with
    different privacy complaint contacts?

63
Selected Issues
  • Re-negotiation of third party administrator
    agreements
  • Add required business associate terms
  • Consider adding/modifying other related terms
  • Transition period

64
Selected Issues
  • Can a self-funded Plan use a TPA for all required
    tasks and not have policies and procedures,
    privacy officer, etc?
  • No -- You can delegate tasks, but can't delegate
    all HIPAA responsibilities

65
Compliance Dates
  • Small health plans (with annual receipts of $5
    million or less)
  • April 14, 2004
  • Other (not small health plans)
  • April 14, 2003

66
Penalties
  • Violating the privacy rule can create both civil
    and criminal liability
  • Nice HIPAA
  • HIPAA for crooks

67
Penalties
  • Civil penalties $100 per violation
  • Capped at $25,000 per person, per year, per
    standard

68
Penalties
  • Criminal penalties up to $250,000 and prison
    sentences of up to 10 years, if
  • Offense is committed with an intent to sell,
    transfer, or use the information for commercial
    advantage, personal gain, or malicious harm

69
Case Law
  • In May 2001, a federal judge noted that although
    compliance is not required until April 2003, the
    HIPAA privacy regulations "are persuasive in that
    they demonstrate a strong federal policy of
    protection for patient medical records." U.S. v.
    Sutherland
  • The judge applied the HIPAA regulations to that
    case
  • Another judge recently did the same

70
Enforcement
  • A new standard of care for how health plans
    (employers) should handle identifiable health
    information?

71
  • Beth L. Rubin
  • Dechert LLP
  • 4000 Bell Atlantic Tower
  • 1717 Arch Street
  • Philadelphia, PA 19103
  • beth.rubin_at_dechert.com
  • 215.994.2535